Posted by CowboyNeal on Thursday February 26, 2004 @06:37PM from the permission-to-redirect-web-users-please dept.

camusflage writes "Yahoo's running a story about VeriSign suing ICANN for holding up Sitefinder. Choice quote from VeriSign: 'This brazen attempt by ICANN to assume 'regulatory power' over VeriSign's business is a serious abuse of ICANN's technical coordination function.'"

The Internet Corporation for Assigned Names and Numbers has no authority to prevent VeriSign from rolling out a search engine for users who mistype Internet addresses, VeriSign said, as well as another feature that allows users to sign up for a waiting list for desirable domain names.

Nice and misleading explanation right there. We're talking about a 'search engine' that impacts any internet application querying a non-existent domain. Once again, the "THE INTERNET IS ONLY THE WEB" mindset that low-grade tech journalism seems to be stuck in is preventing people from realizing the destructive nature of something as profound as adding a wildcard to major TLDs.

"This brazen attempt by ICANN (news - web sites) to assume 'regulatory power' over VeriSign's business is a serious abuse of ICANN's technical coordination function," said VeriSign in the suit, which was filed in U.S. court in Los Angeles.

Errmm... Last I checked, regulating internet infrastructure with regards to assigned names and numbers is ICANN's job. Anything less than a "brazen attempt" and they would be failing at enforcing the RFCs and other regulations they've been entrusted to enforce. Since when do Verisign's business interests trump this?

Though ICANN restructured itself to operate more efficiently last year, a VeriSign official said the group was still too cumbersome.

"Working the ICANN process is like being nibbled to death by ducks," said Tom Galvin, VeriSign's vice president for government relations. "It takes forever, it doesn't make sense, and in the end we're still dead in the water."

At least they respond to complaints with action, instead of stonewalling anyone who disagrees with them, as Verisign so eagerly did when the SiteFinder controversy first broke.

Screw Verisign. I've seen plenty of companies with brazen, my-way-or-the-highway attitudes, but this one is entrusted with managing a major international public resource, and have been caught with their pants down abusing that trust. To whine like this is a sign of just how out of step Verisign really is. Frankly, they deserve to have all authority over the root servers taken away from them before they do more harm in their quest for profits.

I agree with your views... However, I would suggest we simply get rid of verisign, ICANN, and every other company that can hold the internet hostage. I don't have a good replacement strategy in mind yet, but there's got to be a solution that doesn't leave a single company holding all the cards. Distributed administration of the internet? Is that possible? I don't know, I'm not a network theorist (or whatever the official title for that would be.)... anyone care to explain why we have a single entity in charge?

1) Public IP addresses must be globally unique. If they weren't, routing traffic would be effectively impossible

2) Public DNS names must be globally unique. This one isn't nearly as obvious as addressing, but it's still clear once you think about it, and is even enshrined into one of the RFCs on the subject.

Given that we require uniqueness, someone has to manage the systems to check that uniqueness and dole out addresses (both IP and names). That task fell to ICANN, who have since sub-contracted that work out to other entities. But still, someone has to run the central database, or there'd be chaos.

1) Public IP addresses must be globally unique. If they weren't, routing traffic would be effectively impossible

Incorrect. Addresses need not be unique at all,

Indeed one can make very good use of non-unique addresses. Quite a few of the IP addresses for the root DNS servers (eg those operated by ISC) are assigned to multiple different computers, diversely located geographically. Go google for "anycast". The 6to4 relay service also uses a public, non-unique address (ie anycast) for the 6to4 gateway.

Any stateless network service can be deployed using anycast addresses.

1) Public IP addresses must be globally unique. If they weren't, routing traffic would be effectively impossible

Incorrect. Addresses need not be unique at all,

Indeed one can make very good use of non-unique addresses. Quite a few of the IP addresses for the root DNS servers (eg those operated by ISC) are assigned to multiple different computers, diversely located geographically. Go google for "anycast". The 6to4 relay service also uses a public, non-unique address (ie anycast) for the 6to4 gateway.

Any stateless network service can be deployed using anycast addresses.

But everything at that specific address is seen as effectively one server. Addresses don't need to be distinct per physical machine, they need to be distinct per logical server. Two different servers (probably owned by different people) having the same address wouldn't work too well, how would you say which one you wanted to talk to?

Addresses don't need to be distinct per physical machine, they need to be distinct per logical server.

Define a logical server? Providing a unique and coherent service? No, that isn't needed. You could use anycast for anything such that you are directed to the topologically closest host. (where "topologically closest" is defined by routing). Eg, you could set up an anycast address for "PGP public key server", or "web proxy" or "SMTP server", etc. Indeed, let me clarify my remark on statelessness - it is easiest to use anycast for stateless services, however one could use them for stateful services too, provided one had control over the stability of the topology. (eg a corporate, geographically diverse network, where topology changes were infrequent, could use anycast addresses to direct mobile users to the closest host providing a service).

Two different servers (probably owned by different people) having the same address wouldn't work too well, how would you say which one you wanted to talk to?

You don't, that's the entire point of anycast. Instead the routing domain picks the best host for you.

When you lookup slashdot.org you are looking up 'slashdot' inside the 'org' domain. To do that you need to know who knows about 'org'

Every domain name server has a list of root IP addresses, this is where he can find the ip address of the server that knows about 'org' and other domains.

The servers in that small list get a lot of traffic. Some are owned by the US military, others are owned by universities, etc. It's undoable for most for-profit organisations to fund such a machine (typically mainframes are used) or even its internet connection.

We do need a central authority to regulate the IP address ranges and adherence to RFCs such as the one in question here (DNS) that form the back bone of the internet, at least until we have something better.

In this case the ICANN has done its job, thankfully. Perhaps it's not a completely lost cause after all.

"Working the ICANN process is like being nibbled to death by ducks," said Tom Galvin, VeriSign's vice president for government relations. "It takes forever, it doesn't make sense, and in the end we're still dead in the water."

I wonder if Tom Galvin and Darl spend late nights together working on clever metaphors to use in press releases related to their lawsuits...

I wonder if Tom Galvin and Darl spend late nights together working on clever metaphors to use in press releases related to their lawsuits...

Well, considering that the expression "nibbled to death by ducks" isn't anything new, I'd say not.

No, wait. If he's learning from Darl, then next thing we're going to see from Verisign is a lawsuit against Robert Campbell, J. Michael Straczynski, and anyone else who hasn't paid $699 to use the expression...

Frankly, they deserve to have all authority over the root servers taken away from them before they do more harm in their quest for profits.

Your comment is otherwise excellent, but this line deserves correction. Verisign does *not* have control over the root servers*. ICANN does. This is an important distinction because control over the root servers is what gives ICANN its authority. What Verisign DOES control are the so-called 'GTLD' servers, which serve the .com and .net zones. (and the .org zone, once upon a time) And it's on those zones they are acting unilaterally. Sitefinder, when it was active, only worked on non-existent .com and .net hostnames, no others

*footnote: Verisign does, however, operate 2 of the root servers, A and J. In fact, Verisign operates them quite well, and in co-operation with the other root-server operators. But all root servers have the same data, provided by ICANN. The list of root servers (and who operates them) can be found here [root-servers.org].

Effectively Verisign has pointed an infinite number of URLs at their IP block... therefore they should owe someone an infinite amount of money for those URLs. If I have to pay for mine, then they should have to pay for theirs.

Since we have just bankrupted Verisign, then a legitimate company can take over their job of controlling the GTLD servers for .com and .net - just my $0.02

Frankly, they deserve to have all authority over the root servers taken away from them before they do more harm in their quest for profits.

A lot of people don't know this but Verisign's root server isn't the only game in town, these root servers [wikipedia.org] offer many alternatives. If enough people make an end run around their monopoly, their authority will diminish as well as any brazen behavior. If you need instructions on how to do this OpenNIC [unrated.net] has detailed instructions.

Last I checked, regulating internet infrastructure with regards to assigned names and numbers is ICANN's job.

Yeah. I don't know what's going on in these verisign people's minds.

I remembered them stopping the service because of ICANN issuing warnings and threatening to sue. It's not like ICANN literally forced them to shut that nasty service down (they should have that power, by the way).

If a customer's Port 80 web application sends Verisign a DNS request for a missing site, and Verisign responds with a pointer to Sitefinder, and the customer's application sends an HTTP:80 request to Sitefinder, and Sitefinder responds with a web search page, it's greedy and not correct, but mostly harmless and sometimes helpful.

If a customer's Port 443 Secure Web application sends Verisign a DNS request for a missing site, and Verisign responds with a pointer to Sitefinder, and the customer's application sends Sitefinder a request, it's potentially a serious security breach (though not usually, because usually the connection fails before anything important gets sent.)

If a customer's email application sends Verisign a DNS request for a missing site, and Verisign responds with a pointer to Sitefinder, and Sitefinder's email application rejects the connection, it's broken in ways that are mildly to seriously annoying.

And if some other application (even HTTP on port!=80) that Sitefinder doesn't support sends Verisign a DNS request, and Verisign responds with a pointer to Sitefinder, that's badly broken.

If Verisign can't tell the difference between the applications which it helps and the applications it breaks, which they can't, they'd better not go breaking things, and if they break them they should be fired.

Just put together CGIs that produce lots of invalid E-mail addresses that appear real and wait for them to be harvested by SPAMbots. Eventually there would be an awful lot of SPAM being sent to the One True Incorrect Address. Web spiders could be fooled into DoSing by pages full of invalid links.

It used to be that if a site wanted to generate traffic it would have to find an obscure misspelling not yet taken, or provide meaningful content. Verisign's program effectively allows them to turn ALL misspellings and unclaimed domains into a revenue stream. That sounds like abuse of their power to me.

ICANN has made numerous unpopular decisions throughout its corporate life. So has VeriSign. This is truly a battle of two evils. Which one is the lesser evil, in your opinion?

In my own personal view, I do hope ICANN emerges from this lawsuit as the "victor". If VeriSign were to win its request for an injunction against ICANN, and on the broader claim that ICANN "unlawfully transformed itself from a technical coordination body to the de-facto Internet regulator," I feel it would have far-reaching implications for all of us. It would effectively muzzle ICANN and give VeriSign free rein to do as it pleases with the Internet -- at least until a legislative change was made, such as making ICANN into a government regulatory agency similar to the FCC. Mind you, that might be a good thing. It might force the Bush administration's conservative laissez-faire approach to Internet governance to get a dramatic overhaul and become more regulatory. Another plus to ICANN becoming a taxpayer-funded government regulatory body, it could keep its acronym and be enshrined into law as the Internet Commission for Assigned Names and Numbers. Or, it could become the Internet Naming and Numbering Agency -- or INNA.

Nonetheless, this will be a bitter battle.

It also has high stakes for VeriSign. If VeriSign is unsuccessful, it will almost certainly ensure that the dot-net gTLD is redelegated to a new operator later this year.

My take,
Doug

P.S. Copies of the complaint: http://www.politechbot.com/docs/verisign.complaint.p1of2.022604.pdf

Man, I never support people that try to stamp out others' opinions, but what is wrong with you? You _WANT_ Bush and his techno-challenged administration to have the responsibility of putting together an organization that manages the WHOLE internet? That's scary.

Re. your question--I think it's simple. ICANN is the lesser of two evils. Being swayed by corporate interests is bad, but not as bad as when the corporate interest is yourself (as is the case with Verisign).

Having said that, I don't think making it a gov't institution would solve anything. There have been many situations where gov't regulation has helped us, but when has the gov't taken over a previously private role and done a better job?

Although the free market can't solve every problem, this seems like a case where elegant legislation might make the difference. Now, Verisign has a monopoly on .com domain registration. But why should they? Shouldn't that position be open for bidding? Or have term limits? If a company only has a short window of time in which it controls domain registration, or if there are repercussions for abusing its power, that company will likely be cautious about enacting drastic infrastructure changes of the type Verisign is implementing.

(By the way, people often use the $ as a derogatory marker for an entity they don't like, such as Micro$oft or the Church of $cientology, so why not Veri$ign as well?)

Government control of public transport has simply allowed hiding the true cost behind a tax structure - it's great for those that make use of it to not have to bear the full costs - but rather unfair to all those who have no choice in the matter to foot the bill regardless.

As opposed to private transport, where none of the costs are hidden? Pretty much every form of transit, public, private, mass, or individual, suffers from the same problem. You think the cost of mass transit is hidden in the taxes we pay? Have you any idea how incredibly hugely more everybody pays to support the highway system? Cars are the most highly subsidized form of transit in existence outside of space travel. Similarly, all those airports we build cost a hell of a lot of money - most of which usually comes from public bonds. There are very few transport systems that are actually privately funded - practically all are publicly funded in one way or another (I would say oceangoing transit has been kept mostly private, but historically many ships have been partially funded by governments, especially lately, and modern seaport facilities cost huge amounts of money, meaning most of those are largely or partially publicly funded).

So yes, public transit does hide its true cost behind a tax structure to some extent, but so does pretty much every form of private transit (how many sidewalks and bikepaths do you know of that were paid for by private companies?).

> ...at least until a legislative change was made, such as making ICANN into a government regulatory agency similar to the FCC. Mind you, that might be a good thing.

So you are looking forward to being required to get a license for your Web site and a permit for your mail server? I'm sure Verisign will be ready to expedite the application process for their customers.

So you are looking forward to being required to get a license for your Web site and a permit for your mail server?

I know it's bad to restrict people like that, but DAMN that would make the internet a paradise (if regulated properly) especially the 'permit for your mail server'. In fact, tell me again why this is bad? We've proven ourselves to be incapable of managing our servers responsibly so far...

A simple question. Verisign is just a sub-contractor. Why haven't they been fired over site finder, and why do they believe they won't be fired now?

If they are being paid to do a job, they have to do the job they way they are told to do it, or quit/get fired. Right? Why is this any different just because the employee is really a multi-billion dollar corporation?

Since when does "the right to innovate" equate to the right to rewrite job requirements?

What if other companies did similar things?
What if companies involved with the stock market used their insider info to give them a step-up when it comes to which stocks to buy and sell? Yeah, it's a bad idea.
Same here.

From the article: "Working the ICANN process is like being nibbled to death by ducks," said Tom Galvin, VeriSign's vice president for government relations. "It takes forever, it doesn't make sense, and in the end we're still dead in the water."

"Working the ICANN process is like being in deep space with a broken hyperdrive and a pair of arguing Wookies" said Tom Galvin, VeriSign's vice president for government relations. "It takes forever, it doesn't make sense, and in the end we're still dead in the water."

The Internet Corporation for Assigned Names and Numbers has no authority to prevent VeriSign from rolling out a search engine for users who mistype Internet addresses, VeriSign said, as well as another feature that allows users to sign up for a waiting list for desirable domain names.

Hey Verisign: We don't care if you want to make a search engine for misspelled domains, nor do we care if you want to set up a domain name waiting list. In fact the only thing that bothers anyone is that you're breaking DNS to force us to use them.

If this was really about setting up a search engine and nothing else they could just register vs-sitefinder.com and vs-domain-wait-list.com and be in business. Instead they insist on pissing on their responsibility to maintain a functional DNS system in order to achieve some sort of edge over the competition.

Is there some sort of contest for the most hated corporation going on between Microsoft, SCO, and Verisign?

What most people see is that this is just an extended version of IE's built-in search that throws you to Microsoft's search engine (which sucks), so they don't see the implications for all the REAL internet applications that don't run through a web browser.

I think this whole Verisign/ICANN thing, perhaps better than most recent examples of high-profile disputes in the tech industry, illustrates what a fundamental disconnection there is between the computer sophisticates and average, well-educated newspaper readers.

Even in this article, which is reasonably technically sophisticated, Verisign's SiteFinder is almost invariably described in terms which suggest it was just a helpful service for lost souls (people who'd typed a wrong URL) instead of being recognized for what it is, an aggressive land grab and a ridiculous abuse of monopoly power.

It's not like newspapers are in VeriSign's pockets or anything. Why is it that so few of them seem to understand how bad what VeriSign did is?

Because newspapers don't have good tech writers. How would they? The people in charge of hiring them don't know what to look for, anyone who knows a little more than the employer will look like an expert.

Similarly for SCO. Their claims sound quite reasonable if you don't read what other parties say about it. This is why objectiveness and freedom of speech are so important.

There was an article in the Dutch newspaper Metro a while ago, reporting on research findings that claimed 85% of Dutch individuals and corporations saw virus protection as the responsibility of ISPs. This is a ridiculous proposition, considering that virii spread just fine without ISPs, and ISPs don't and shouldn't have any business restricting what traffic goes to my network.

I wrote a letter to the paper explaining this, blaming the spread of virii on people using faulty software, from suppliers negligent to release patches, and users not applying them. I also mentioned alternatives. They posted the letter (omitting the alternatives; sadly, as I don't like pointing out problems without proposing solutions), and I hope it has helped people gain some more insight. I intend to post the letter (and a translation) on my website.

And general society is pig-ignorant when it comes to computers and technology. A reasonable percentage can do the obvious things with technology that corporations have spent billions making as easy as plug and play, but by and large they remain totally ignorant when it comes to even the most basic explanations of how technology works.

Furthermore, there's a significant number of people who hold the notion that knowing "how things work" somehow makes you some kind of commoner or blue collar schmuck, and unfortunately many of these people are in high-visibility leadership positions and they pass these attitudes down to their followers, spreading the misguided notion that ignorance of technology -- ANY technology -- somehow is evidence of your superior social or economic standing.

So I actually can't blame newspapers, other than that they're just reflecting the general ignorance of the general population (plus all the usual problems with in-depth facts and information gathering daily news media have).

I think it's up to us or some geek advocacy group to work the PR hard on this so that the news media gets a better idea of what's actually happening and how it hurts the internet. We know that Verisign will be more than willing to work THEIR PR resources to get their side of the story out.

Glad to see that the early hooting isn't only anti-VeriSign. People ought to consider that ICANN has been burying everything registries want to do in piles of bureaucracy, while trying to grab more and more money and power. ICANN should be reformed and stuck to technical operational issues rather than playing footsie [icannwatch.org] with international bureaucrats. Think of all the nonsense that would come from the ITU/U.N. getting its mitts on "Internet governance," which is being discussed in Geneva today and tomorrow [itu.int]. VeriSign is no angel, but if it can take ICANN down a notch, I'm for it.

This sort of problem could have been foreseen. Even though I hated their Sitefinder feature, they have a point. Since when does ICANN have the power to tell a business or person what they can or can't put on their page? It just so happens that this business is Verisign, who also runs part of the internet.

This is where the problem is. Why is a business running these domain names? That seems like a conflict of interest to me. There needs to be non-business regulatory committees that run it. The issue certainly can't be finding money to do it.

Even though it's a little annoying that Verisign wants to show their sitefinder, as a business, they have every right to do it.

This discussion reminds me of something on slashdot a while ago that I can't find that was something like "10 common misconceptions about the internet". The whole point was that the internet is just a network of computers, it's that simple. This simplicity will vanish before our eyes if we have businesses running it.

Umm, they didn't tell them what they could put on a web page. What they told them was they couldn't insert a wildcard record in the .com and .net zones and redirect queries for EVERY NONEXISTENT DOMAIN in those zones to their servers, for every Internet service, not just web.

> Since when does ICANN have the power to tell a business or person what they can or can't put on their page?

Since it's NOT their page. foobar4575368389.com is NO more verisign's page than it is anyone else's since the domain is not registered.

sitefinder is not the problem. The problem is the default DNS entries which redirect connections to sitefinder.

VeriSign used their access to the DNS they host *on behalf of ICANN*, to gain visibility for their sitefinder crap.

Apart from being highly unfair to search engine competition, and ethically wrong, it also brings a lot of technical issues for any protocol (of which HTTP is only one) used on the Internet.

This may be a dumb question....but why do we need Verisign? I know they control some of the root servers, but why them? Couldn't the internet as a whole (if it could somehow come to an agreement), give those root servers to somebody else? The list of root servers is static. If everybody just changed the list all at once, their servers would suddenly become quiet and this would be a non-issue.

Of course, I realize that doing that would not be so straightforward, but such an effort would send a message...to Verisign and to anybody else that would try this kind of crap. Self-healing network, heal thyself!

The solution is to alter a DNS server so it examines the results it gets back from its parents, and if it's a BS Verisign auto-search response, tell the requestor that the domain doesn't exist. Then we all start running and/or pointing to a DNS server that runs this new & improved DNS server, and all is good.

Be sure to make the change modular so we can remove it when Verisign pulls their head out.
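A sketch of the filter proposed in the comment above, as an added example that is not part of the original thread or of any real DNS server: it learns which addresses a TLD returns for names that cannot exist, then rewrites matching responses to NXDOMAIN. The upstream resolver, the registered name and the address 192.0.2.10 (a documentation-range placeholder standing in for the redirect target) are constructed for the example.

```python
import secrets
import struct

TYPE_A, CLASS_IN, RCODE_NXDOMAIN = 1, 1, 3

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the name at off, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer always ends a name
            return off + 2
        off += 1 + length

def parse_answers(msg):
    """Return (offset where the question section ends, A-record addresses)."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    question_end, addrs = off, []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return question_end, addrs

def rcode(msg):
    """Low four bits of the flags word."""
    return msg[3] & 0x0F

def learn_wildcard_targets(resolve, tld, probes=3):
    """Query random 32-hex-digit labels that nobody has registered. Addresses
    returned for every probe are wildcard targets; one NXDOMAIN means no wildcard."""
    targets = None
    for _ in range(probes):
        qname = "%s.%s" % (secrets.token_hex(16), tld)
        _, addrs = parse_answers(resolve(qname))
        if not addrs:
            return set()
        targets = set(addrs) if targets is None else targets & set(addrs)
    return targets or set()

def filter_response(msg, wildcard_addrs):
    """Rewrite a response whose A records all point at wildcard targets into
    NXDOMAIN. An empty wildcard_addrs set makes this a no-op, which keeps the
    change easy to switch off. Caveat: a genuinely registered name hosted on
    the same address would be suppressed too."""
    question_end, addrs = parse_answers(msg)
    if not addrs or not set(addrs) <= set(wildcard_addrs):
        return msg
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    flags = (flags & 0xFFF0) | RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", qid, flags, qdcount, 0, 0, 0)
    return header + msg[12:question_end]   # keep the question, drop all records

# --- constructed upstream for the demo (hypothetical data, not real zones) ---
WILDCARD_TARGET = "192.0.2.10"
REGISTERED = {"example.com": ["198.51.100.7"]}

def fake_upstream(qname):
    """Answer like a wildcarded 'com' zone and a normal 'org' zone."""
    tld = qname.rsplit(".", 1)[-1]
    addrs = REGISTERED.get(qname, [WILDCARD_TARGET] if tld == "com" else [])
    flags = 0x8180 if addrs else 0x8180 | RCODE_NXDOMAIN
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addrs), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for addr in addrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
        msg += bytes(int(part) for part in addr.split("."))
    return msg

if __name__ == "__main__":
    targets = learn_wildcard_targets(fake_upstream, "com")
    for name in ("no-such-host.com", "example.com"):
        out = filter_response(fake_upstream(name), targets)
        print(name, "rcode", rcode(out), "answers", parse_answers(out)[1])
```
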

At what point does it make sense to start editing Verisign.com out of the internet? The basic ploy here seems to be to ride rough-shod over the concerns of the technical users and administrators who maintain the 'net, in the hopes that uneducated consumers will ignore the issue.

It seems to me that the thousands of sysadmins, ISP admins and so forth who read this site and feel the pain of Verisign's greed have an option here - alter our local DNS registries to point www.verisign.com etc to 127.0.0.1. Given enough people doing this and their business will start to feel the pain.

It would be a fine twist to this whole mess, and perhaps drive home to the PHB's at Verisign exactly how annoyed this makes those of us who understand the ramifications of their actions.

Or better yet, demonstrate how DNS MUST operate on mutual trust, by sending anybody trying to query www.verisign.com (and other associated names) to their competitors (on a random basis.) If Verisign wants to break DNS, they'll have to deal with the fact that anybody else down the chain between the root server and the user can break it equally as well.

Remember folks, we use DNS because it's useful. If it stops being useful, we can stop using it just as quickly.

Very often, when anyone tries to access a now non-existent web page, the ISP owning the relevant server will forward you to one of their home pages. Or maybe a web domain speculator will buy up a domain name, and use that to forward you to their search engine. Verisign could argue they're doing something similar. Obviously it's wrong, but it's more or less what other people are doing.

Very often, when anyone tries to access a now non-existant web page, the ISP owning the relevant server will forward you to one of their home pages.

They still return a 404 error, or at least, they're supposed to. Get Mozilla Firefox, download the Live HTTP headers extension, and you can verify this for yourself. Also, this is typically within a domain that does exist - it's just the page doesn't.

Or maybe a web domain speculator will buy up a domain name, and use that to forward you to their search engine. Verisign could argue they're doing something similar.

Ahh, but SiteFinder works even for domains that have NEVER existed. This means that Verisign is squatting on an almost-infinite number of domain combinations, which they haven't paid a cent for. As scummy and despicable as webspammers are, this is scum and villainy on a grand scale. Worse, it's scum and villainy at a very low level - it doesn't just break HTTP, it breaks FTP, SMTP, and a host of other DNS-dependent protocols, AND it affects everyone running a DNS server by loading their cache tables with garbage.

Doesn't ICANN hold SOME authority over VeriSign about DNS? Can't ICANN just "pull the plug" and tell VeriSign to go take a hike while they find someone more competent to take care of the root DNS servers? I mean, this is getting more or less ridiculous and as far as I understand it, would severely hamper several spam-fighting techniques used, possibly other things as well.

Besides, isn't it possible to get rid of the whole root DNS server idea in the first place? The attack on the root servers a few months ago didn't do much damage but it made clear that IF the root server went down (granted, for extended periods...) that the internet would be flat on its arse unless we started using IP addresses. (Which doesn't solve the problem because of absolute linking used on some websites... Though it would allow other uses again like FTP, SSH, etcetera.) So why not a root DNS p2p network then? Still the root idea as used for DNS now, but instead of querying a set of dedicated root servers, DNS servers lower in the hierarchy would query a root p2p network instead. Give ISPs a server with access to the network, same thing for registrars & co and someone decides to be a prick with DNS records, have ICANN throw them off by severing all communications with the other party's DNS servers.

Can't ICANN just "pull the plug" and tell VeriSign to go take a hike while they find someone more competent to take care of the root DNS servers?

Yes, they can. And that's why when ICANN threatened them--back when Sitefinder was first turned on--that Verisign listened. Because, yeah, ICANN controls the root, and all authority flows from the root. (the root servers, that is)

As for your p2p root idea, well... To be blunt, it's a bit naive. First off, where does this p2p network get its data? Remember, one of the critical ideas behind DNS is that the view is always consistent, there are no conflicting records. As in, www.exmple.com ALWAYS points to the same place, no matter who you ask. There is only one correct answer. (misconfigurations can prevent this, obviously, but that's the design of DNS). So you have to be worried about poisoning, authenticity, you have to trust this network. No current p2p network has my trust.

I give more reasons, but basically, the DNS system is set up right now with 46 root servers [roots-servers.net] (count 'em). These are generally a cluster of professionally managed servers, dedicated to a single, pretty simple task: Serving the 2000-odd records in the root zone, or returning a failure. That's it. Any suggestion of a p2p network, for it to be accepted, would have to show that this proposed ad-hoc network could provide the same performance and reliability that the current system does. Not to mention re-writing all this software that assumes DNS functions in its current state.

To summarize, sure it SOUNDS like a good plan, but for it to actually be considered, it probably has to have actual technical details. And it wouldn't hurt if it came from someone more qualified than Armchair Internet Architect, such as you or I.

There's absolutely nothing wrong with Verisign putting up their Sitefinder search engine. What ICANN had an issue with is the mismanagement of the DNS entries. If I want sitefinder, I'll go to www.sitefinder.com. If I go to www.stiefinder.com, I want a "host/domain not found" error, not a search engine.

Verisign doesn't have a perpetual contract on the com/net gTLDs. Their contract on .net expires in 2005 and .com expires in 2007. They already lost .org to PIR [pir.org] last year, so it is plausible that they may lose .com and/or .net as well.

However, be careful what you ask for. PIR has proven themselves to be even more incompetent than Verisign. It was nice to see them move to EPP [coverpages.org], but if they had messed up a .com transition as much as they messed up the .org transition you'd have been crying on your knees to bring Verisign back.

"Today VERISIGN announced it will be suing ICANN for doing their job and preventing VERISIGN from illegally controlling and redirecting internet traffic, it has no legal right to, to their own product."

Methinks this would be somewhat similar to the US Government making all roads not privately owned lead to a government business.

I know, that sounds REALLY stupid - the government would NEVER do that. It's moronic to even think of something like that - but, essentially, is that not exactly what Verisign tried to do?

This also stinks of anti-competitive monopolistic activity - as there are other 'site-finding' services out there. Such as Google, AltaVista, et al... Yet Verisign would be the _only_ company able to perform a service utilizing this method - as they would be illegally tapping into property they do not own - unregistered domain names.

Stupid ICANN, what were they thinking! They act like they have "responsibility for Internet Protocol (IP) address space allocation, protocol identifier assignment, generic (gTLD) and country code (ccTLD) Top-Level Domain name system management, and root server system management functions."

The "power of audacity" is the order of the day in these Looking Glass times. When an individual person grabs the debate with outrageous claims, it's chutzpa - they can be ignored, jailed, and sometimes staked through the heart. But in a public environment with no real boundaries, millions of bloodthirsty lawyers on bottomless expense accounts, and some inane requirement for all issues to have "balance" between two untenable (and often contrived) extremes, unaccountable (and disaudited) corporations can get what they want by blowing over the top, and agreeing to split the difference, arriving squarely on target. And when they oppose people who merely defend reasonable positions closer to the middle than some self-selected extreme for balance, they win. Every time. Welcome to the abyss.

"They say ev'rything can be replaced, / Yet ev'ry distance is not near. / So I remember ev'ry face / Of ev'ry man who put me here. / I see my light come shining / From the west unto the east. / Any day now, any day now, / I shall be released."
- Bob Dylan, "I Shall Be Released" [bobdylan.com]

I was dismayed to hear that Verisign has launched a lawsuit against ICANN over the termination of the Sitefinder service.

I realise that I am only one person, but hopefully you will receive sufficient numbers of messages in similar vein that you will reconsider this action. It can have only one outcome, and this will not be good for Verisign or its shareholders.

ICANN is a regulatory body specifically tasked with ensuring that the cooperative standards which embody the Internet are administered for the common good.

Verisign, being in a unique position of trust, introduced a service that rendered the entire domain name mechanism broken.

Although the service provided may possibly have been useful for web users, the Internet is most emphatically not just the web. By ensuring that nonexistent domain name lookups succeeded, Verisign circumvented the error handling provisions of a large number of IP-based software products.

You will have noticed at the time that the immediate response from many ISPs was to immediately place local detection and blocking of Sitefinder, in order to restore correct functionality to these applications in accordance with accepted practice. This caused a considerable amount of effort and cost to the businesses concerned, and is therefore a legitimate target for regulation, and the regulatory body in question was the ICANN.

To attempt to sue a regulatory body for doing its job correctly and effectively is, I am afraid, unlikely to show Verisign in a good light.

"Working the ICANN process is like being nibbled to death by ducks," said Tom Galvin, VeriSign's vice president for government relations. "It takes forever, it doesn't make sense, and in the end we're still dead in the water."

I'm just shocked, I had to read this again because it is truly stunning, I feel like I've fallen into a parallel universe where Verisign has an innate right to the monopoly they've been granted by the organization they're suing. Heaven forbid that the body created to regulate internet domain name serving actually regulates it! This has to be the most spectacular example of biting the hand that feeds you that I've ever seen. They'd have no business interest if ICANN hadn't handed it to them on a silver platter.

Verisign should lose all control & responsibility of any TLDs for this, it's just amazing that they could attempt to undermine internet infrastructure like this and then brazenly turn around and sue the regulators.

They have no shame, it's time to farm TLD administration out to people who are at least slightly rational.

This is a classic mismatch. This is basically a fixed administrative contract that they acquired, where they sell names and administer a database. These idiots don't understand this and want to "grow the business". Well they can't do that by abusing the monopoly granted them by fucking with their administrative responsibilities. Just do the damned job, if you have ideas for other businesses fine, but don't dick with the core function that it's your DUTY to administer in the public interest as permitted by congress.

They don't seem to understand that they're only supposed to sell and administer a bunch of .com domains. That's their mandate, to administer what is basically a public service. They don't seem to understand that congress & everyone else just wants them to perform this fixed function and if they dick with it someone else will be found to do it better without the B.S.

I still can't figure out why they're so spectacularly misguided as to think that this service responsibility gives them the unilateral right to screw with the World's internet infrastructure, and sue the only regulatory body in place to stop their shenanigans.

It's clear that Verisign is irresponsible and can be expected to keep trying to abuse its position running the GTLD servers for .com and .net.
As I understand it, ICANN delegated this role to Verisign, so ICANN ought to be able to take it away.
Can anyone explain the terms of the current delegation? Is there a contract that will expire in a few years? Did Verisign somehow acquire permanent rights?

The mission of The Internet Corporation for Assigned Names and Numbers ("ICANN") is to coordinate, at the overall level, the global Internet's systems of unique identifiers, and in particular to ensure the stable and secure operation of the Internet's unique identifier systems. In particular, ICANN:

1. Coordinates the allocation and assignment of the three sets of unique identifiers for the Internet, which are

If they get their way with site finder, it seems to me a class action suit should be possible.

Since most non-tech people seem to think that the Internet is the web, let's take the web angle in a very simple way.

I have a web site. A potential customer mistypes my domain name in his browser.

1. Without site finder he gets an error and realizes he has mistyped the address, so he corrects the error and comes to my site.

2. With site finder, he comes to a confusing Verisign page. From there on, who knows where he will get. Probably not to my site. Verisign is unfairly taking business from me.

And what about email? Badly addressed email is replied to with a bounce message. What happens when it goes to Verisign?

Refining on these ideas, I'm sure domain owners with good lawyers could start a class action suit against Verisign.

(I'm glad that in my country, domain names are managed by a monopolistic body [switch.ch] controlled by the state and some universities. It is cheap, fast, simple and efficient, and there is not a single advertisement when registering or managing domain names)

The right place to put a search engine hook for non-existent domains is in the browser. But by lying about the existence of domains that are looked up, Verisign's sitefinder makes it so nobody can write their own host lookup service for a browser. So they are in fact removing the ability of people to write their own handlers for this condition, aside from how they break all the other non-HTTP protocols.

Verisign should have their contract yanked, as soon as possible. No ifs, ands or buts.

I will then sue them under the Anticybersquatting Consumer Protection Act [keytlaw.com] for every possible instance of a domain name that is "confusingly similar" to any trademark I hold. This should work out to several thousand combinations per Mark. (i.e. d0main.com, doma1n.com etc...) Damages are between $1,000 and $100,000 per domain name plus attorney fees. Between myself and anyone else doing this Verisign will be Bankrupt in no time.

'This brazen attempt by ICANN to assume 'regulatory power' over VeriSign's business is a serious abuse of ICANN's technical coordination function.'

But ensuring that the registry operator's systems conform with the official DNS specifications, including negative responses, is a perfectly legitimate technical coordination function.

Nothing in the DNS RFCs suggests that a compliant DNS server can return arbitrarily chosen answers in response to a DNS question regarding an unknown domain. In fact, doing so clearly violates RFC 1035 section 4.1.1, which specifies that the response code 3 ("name error", also known as NXDOMAIN) should be returned for that case.

How can Verisign personnel seriously claim that there is nothing wrong with SiteFinder?

In my opinion, Verisign already breached their contract to operate the registry when they instituted SiteFinder the first time, and ICANN and the Commerce Department should have started a process to award a new contract to a different registry operator. The wholesale fee of $6/domain/year that Verisign gets is ridiculously large to begin with, which makes it seem even more unprofessional that they deliberately sabotage the registry operation to try to make even more money.
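
The comment above contrasts RCODE 3 ("name error") with an arbitrary answer for an unknown domain, which is also what the ISP-side detection mentioned earlier in the thread has to tell apart. As an added example (not part of any post here), this decodes the RFC 1035 section 4.1.1 header of a reply to a probe for a name known not to exist; the responses and the 192.0.2.1 address are constructed samples.

```python
import struct

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_response(qname: str, rcode: int, addr: bytes = b"") -> bytes:
    """Constructed sample response (type A, class IN) so the example runs offline."""
    flags = 0x8400 | rcode                 # QR=1, AA=1, RCODE in the low 4 bits
    msg = struct.pack("!6H", 0x1234, flags, 1, 1 if addr else 0, 0, 0)
    msg += encode_name(qname) + struct.pack("!2H", 1, 1)
    if addr:                               # answer name is a pointer to offset 12
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 900, 4) + addr
    return msg

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:               # compression pointer: 2 bytes, name ends
            return off + 2
        if n == 0:                         # root label terminates the name
            return off + 1
        off += 1 + n

def classify_probe(msg: bytes) -> str:
    """Classify a reply to a query for a name known not to exist."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR=0)")
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"                  # the name error RFC 1035 specifies
    if rcode != 0:
        return f"ERROR rcode={rcode}"
    if an == 0:
        return "NODATA"                    # NOERROR with an empty answer section
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QNAME, then QTYPE and QCLASS
    off = skip_name(msg, off)              # owner name of the first answer
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    rdata = msg[off + 10:off + 10 + rdlen]
    if rtype == 1 and rdlen == 4:          # an A record for a name that should not exist
        return "SYNTHESIZED A " + ".".join(str(b) for b in rdata)
    return f"SYNTHESIZED type={rtype}"
```

A resolver operator would send the probe with a freshly generated random label each time, so that a cached or genuinely registered name cannot mask the wildcard.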

It really doesn't matter at all. As soon as that first shot was fired (filing the lawsuit), it was over. VeriSign can't win. Even if they won the lawsuit, they still lose, because ICANN will yank their contract at the first opportunity.

The only way VeriSign can win this is to specify as "damages" for winning that they get to operate .com/.net in perpetuity until they decide they don't want to anymore. And I don't see that happening.